Although it may seem an offense that could be equated with taking extra pens or copy paper from the office, it can have a negative impact: poorly implemented cryptomining code can hamper a computer's performance.

These kinds of attacks - referred to as cryptojacking - use victims' computers to generate random hashes as part of the proof-of-work transaction systems for virtual currencies, in return for a reward payment.

Plus, if the mining code has actually been loaded on an endpoint using a vulnerability or a phishing attack, it could be an entry point for more harmful code.

IBM says it has seen a decline in so-called browser-based cryptojacking attacks. Those occur when attackers, for example, compromise a website and seed malicious JavaScript into a page. When someone visits the page, the JavaScript runs, pilfering computer power for the inglorious job of generating random hashes.

Last year, browser-based mining outpaced the malware-based variety by a ratio of two to one, writes Charles DeBeck, a strategic cyber threat analyst with IBM. But that's changing. Instead, it appears that threat actors favor trying to install mining code on computers.

"As our data shows, browser-based cryptojacking was big in 2018," DeBeck writes. "But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptojacking. A number of factors could be contributing to this shift."

Profitability Falls

IBM as well as other security companies have noticed that cryptojacking efforts have tapered as the value of virtual currencies has fallen. Since December 2017, when bitcoin peaked at around $20,000 per coin, the value of it and other cryptocurrencies has fallen 75 percent or more.

That has curbed the profitability of JavaScript miners. They're beneficial for attackers in that compromising a high-traffic website can mean large numbers of computers are temporarily part of their mining network - as long as the particular web page remains open - but each individual computer is generating virtual currency at a lower cash-out rate.

At first, such mining efforts escaped scrutiny by endpoint security software, although some vendors have now developed capabilities to notify users when it is happening.

"Since the browser is merely an application on a device, it cannot generate the same computing power as infecting the actual device," DeBeck writes. "As a result, this type of cryptojacking takes much longer to generate each coin, which may be incentivizing threat actors to refocus on malware infections to speed things up."

Another incentive for the move to malware-based mining may be the halt to the Coinhive project. Coinhive's JavaScript code mined the privacy-focused currency monero. It frequently turned up on hacked websites because it could be incorporated by anyone into a website (see: Cryptocurrency Miners Exploit Widespread Drupal Flaw).

The project proved controversial because hackers inserted it into websites without permission. The code was freely available to install, but Coinhive took a 30 percent share of mining rewards even if it was on a hacked site, which some maintained was unethical.

"With Coinhive gone, threat actors would have to go to other script providers," DeBeck writes. "While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks."

The Next Stage: Fileless

Most of the tips that IBM has for dealing with malware-based cryptominers are likely already being employed by enterprises. Among those tips: Update intrusion detection and prevention systems with signatures to block cryptojacking scripts and disable JavaScript where feasible.

But if cryptomining proves meddlesome, admins can also restrict outbound calls to known cryptomining "pools," the term for groups that combine their mining power and collectively share payouts. Threat intel providers are a source for that data.
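As an added illustration of that egress control (not code from the article or from IBM), the following Python flags connections in an outbound-connection log whose destination is, or is a subdomain of, a pool host on a denylist; the pool names, the address and the log lines are constructed placeholders, and a real denylist would come from the threat intel feed mentioned above.

```python
# Added example (not from the article or IBM): flag outbound connections to
# listed mining-pool hosts, matching subdomains of each listed domain
# label-wise so that lookalike names do not match by accident.
import ipaddress
import re

# Constructed denylist; in practice this comes from a threat-intel feed.
POOL_DENYLIST = {
    "pool.example-miner.invalid",
    "xmr.example-pool.invalid",
    "203.0.113.45",  # TEST-NET-3 address, placeholder for a pool IP
}

# Constructed egress log lines: timestamp, source, destination host:port.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 10.0.0.12 -> eu.pool.example-miner.invalid:3333 tcp
2019-03-01T10:00:02Z 10.0.0.13 -> www.example.com:443 tcp
2019-03-01T10:00:03Z 10.0.0.14 -> 203.0.113.45:14444 tcp
2019-03-01T10:00:04Z 10.0.0.15 -> notpool.example-miner.invalid.com:80 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) ")


def host_matches(host, listed):
    """True if host equals a listed name/IP or is a subdomain of a listed name.

    Suffix check is on a label boundary ('.' + listed), so
    'notpool.example-miner.invalid.com' does not match 'pool.example-miner.invalid'.
    """
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(listed)
    except ValueError:
        pass  # at least one side is a hostname, compare as names
    return host == listed or host.endswith("." + listed)


def flag_pool_connections(log_text, denylist=POOL_DENYLIST):
    """Return (timestamp, src, dst_host, port) for each line hitting the denylist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, src, host, port = m.groups()
        if any(host_matches(host, d) for d in denylist):
            hits.append((ts, src, host, int(port)))
    return hits


if __name__ == "__main__":
    for hit in flag_pool_connections(SAMPLE_LOG):
        print("pool connection:", hit)
```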

IBM's X-Force Intelligence Threat Index

IBM is predicting that cryptomining will evolve. To wit: GhostMiner, which is a fileless miner that resides only in memory.

"It uses PowerShell evasion scripts that allow it to run from memory without leaving any files on the victim's devices," according to IBM's X-Force Intelligence Threat Index 2019, which was released in February. "It contains advanced process-killing functions, executed via PowerShell, to detect and eliminate other coin-mining infections that may be present on the same device, so it can maintain exclusive access to system processing power."

Going fileless and relying on scripts makes defense harder, as it may be possible to evade AV detection, IBM says. This PowerShell approach, often referred to as "living off the land" because it doesn't involve the introduction of other code, has proved tough for organizations to defend against, particularly when attackers use this method to move laterally through systems.
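Because a fileless miner leaves nothing on disk, the script text itself is what defenders have to review; the added Python example below (not from the article or IBM) triages PowerShell script block log text for the in-memory indicators the report describes, decoding `-EncodedCommand` arguments (which PowerShell base64-encodes as UTF-16LE). The script blocks are constructed samples, and the indicator list is an assumption of what a reviewer would look for, not a detection signature.

```python
# Added example (not from the article or IBM): triage exported PowerShell
# script-block log text (Event ID 4104 records carry the script text) for
# indicators of in-memory execution and process killing.
import base64
import re

# Review indicators, not proof of mining by themselves.
INDICATORS = {
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
    "download_in_memory": re.compile(r"DownloadString|Invoke-Expression|\bIEX\b", re.I),
    "kills_processes": re.compile(r"Stop-Process|taskkill", re.I),
    "hidden_encoded": re.compile(
        r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s+\S+)", re.I),
}

# Matches the base64 argument of -e / -enc / -EncodedCommand.
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed samples: a benign admin command, a hidden encoded command that
# kills processes matching '*miner*' (as the report describes), and a plain
# interactive Stop-Process that should only rate as a weak indicator.
_SAMPLE_PAYLOAD = "Get-Process | Where-Object {$_.Name -like '*miner*'} | Stop-Process -Force"
SAMPLE_BLOCKS = [
    "Get-ChildItem C:\\Logs | Measure-Object",
    "powershell -w hidden -enc "
    + base64.b64encode(_SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii"),
    "Stop-Process -Name notepad",
]


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_script_block(text):
    """Return the set of indicator names matched in the block, including its decoded payload."""
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    return {name for name, rx in INDICATORS.items() if rx.search(haystack)}


if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        print(sorted(triage_script_block(block)), "<-", block[:60])
```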

"With PowerShell taking on a larger role in adversarial toolsets, its use and abuse is reminiscent of the risk that arose when attackers started relying on JavaScript," according to the report.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
